reldar_76465
Sep 14, 2011
Allowing access by referrer

Hi,

I have a client who wants to exclusively connect to a web site we created for them. We agreed to do this by identifying the referrer they are coming to our site with.

As they are coming from an https site, I added SSL to our site as well so I can capture the referrer (linking from https to http drops the referrer).

I set up the following rule for this:

    when HTTP_REQUEST {
        switch -glob [HTTP::path] {
            "*/handlers/*" { }
            default {
                switch -glob [HTTP::header "Referer"] {
                    "https://www.example.com/*" {
                        HTTP::redirect "https://www.oursite.com"
                    }
                    "www.oursite.com/*" { }
                    "" { HTTP::respond 403 content "" }
                }
            }
        }
    }

The first part with the /handlers/ in the path is because our site is loading itself to load a component in it; this is how I solved this part.

I need a redirect because I want the address to change when going to our site.

This iRule is installed on the virtual server of the https site.

The problem: the redirect is going into a loop. Any ideas?

Thanks.


  • Hi reldar,

    Could you provide some additional information on the redirect loop that you are referring to?

    If you are looking for a Referer "https://www.example.com" and it is redirecting to a different URL "https://www.oursite.com", is that second URL on the same Virtual Server? If not, then how are you getting into a loop?

  • OK, so it's getting more complicated.

    We cannot support https on our site, so I have to redirect the traffic to http, which is a different virtual server for the same site.

    There I still need an iRule in place, as I still need to filter traffic coming to it. But once redirected from the https virtual server to the http virtual server, the referrer is dropped.

    So I guess I need to add some kind of a cookie on the https iRule and look for it on the http iRule and allow access.

    Any ideas how this can be set?

    Many thanks for the help

  • It's a bad security practice to depend on the Referer header to verify whether a request should be allowed to a web app. The Referer header (and all other HTTP headers) can easily be spoofed by a malicious client. It would be much more secure to use some authentication mechanism to enforce access control. Or, worst case, lock access down by source IP address.

    Aaron

  • Yes, that's true and I'm aware of this, but this is how the client wants to do this.

    Also, the IP option is not feasible, as the site referring to me is open from everywhere to everyone, so there is no one IP or group of IPs I can allow.

    Does someone have an idea where I can find an example of how to add a cookie to a session, and how to allow access by a cookie?

    Many thanks for the help.
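As an added example (not code from this thread, and not F5's own code), here is one way to implement the cookie handoff the previous two posts describe, written as iRule Tcl. The HTTPS virtual server issues a short-lived, HMAC-signed cookie only when the Referer matches the partner site, and the HTTP virtual server admits a request only when the cookie's signature and expiry check out. A fixed cookie value would be as trivially forgeable as the Referer header Aaron warns about, which is why the value is signed and time-limited here. Assumptions: the hostnames are the placeholders used in the thread, the BIG-IP version provides `CRYPTO::sign` (v11.x or later), the secret in `RULE_INIT` is a placeholder to be replaced, and the cookie cannot carry the `Secure` flag because it must reach an http virtual server, hence the short TTL.

```tcl
# Added example, not from the original thread. Two iRules are shown in one
# listing; deploy the first block on the HTTPS virtual server and the second
# on the HTTP virtual server. Hostnames and the key are placeholders.

# ---------- iRule 1: attach to the HTTPS virtual server ----------
when RULE_INIT {
    # static:: variables are visible to every iRule on the device, so the
    # HTTP virtual server's rule below reads the same key.
    # PLACEHOLDER: use a long random secret stored outside the rule text.
    set static::handoff_key "replace-with-a-long-random-secret"
    set static::handoff_ttl 300 ;# seconds a handoff token remains valid
}

when HTTP_REQUEST {
    # Internal component loads bypass the check, as in the original rule
    switch -glob [HTTP::path] {
        "*/handlers/*" { return }
    }
    # Only requests arriving from the partner site receive a token
    if { [string match "https://www.example.com/*" [HTTP::header "Referer"]] } {
        set exp [expr {[clock seconds] + $static::handoff_ttl}]
        # token = "<expiry>.<base64(HMAC-SHA256(expiry))>"
        set sig [b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::handoff_key $exp]]
        set token "${exp}.${sig}"
        # Redirect to the HTTP virtual server; the cookie travels with the
        # browser to the same hostname over http, so no Secure flag is possible
        HTTP::respond 302 Location "http://www.oursite.com[HTTP::uri]" \
            "Set-Cookie" "handoff=${token}; Path=/; HttpOnly"
    } else {
        HTTP::respond 403 content "forbidden"
    }
}

# ---------- iRule 2: attach to the HTTP virtual server ----------
when HTTP_REQUEST {
    switch -glob [HTTP::path] {
        "*/handlers/*" { return }
    }
    if { ![HTTP::cookie exists "handoff"] } {
        HTTP::respond 403 content "forbidden"
        return
    }
    set token [HTTP::cookie value "handoff"]
    # Split "<expiry>.<signature>" and recompute the HMAC over the expiry
    if { [regexp {^(\d+)\.(.+)$} $token -> exp sig] } {
        set expected [b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::handoff_key $exp]]
        if { $exp > [clock seconds] && [string equal $sig $expected] } {
            # Valid, unexpired token: let the request through to the pool
            return
        }
    }
    # Missing, tampered or expired token
    HTTP::respond 403 content "forbidden"
}
```

Because the token only proves that the browser recently passed through the HTTPS rule with a matching Referer, it inherits that check's weakness: anyone who can set a Referer can obtain a token. The signature stops clients from minting their own tokens and the TTL limits replay, but it is not a substitute for the authentication mechanism Aaron recommends.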